Fake Pilots, Real Security Breach: TSA Rosters Hacked By Researchers

A Security Flaw in the Sky: How a Vulnerability Threatens Airline Security

In August 2023, security researchers Ian Carroll and Sam Curry made a startling discovery: a vulnerability in a third-party system used by the Transportation Security Administration (TSA) to verify airline crew members at airport security checkpoints. This flaw, exploitable by anyone with "basic knowledge of SQL injection," could have allowed unauthorized individuals to gain access to secure airport areas and potentially even the cockpit of a commercial aircraft. This alarming discovery sheds light on the vulnerability of critical infrastructure and highlights the crucial need for robust security measures in an age of increasing cyber threats.

The vulnerability resided in the FlyCASS system, provided by a third-party vendor to smaller airlines. FlyCASS serves as a gateway to the TSA’s Known Crewmember (KCM) and Cockpit Access Security System (CASS) systems. Through these systems, TSA verifies the identity of airline crew members, allowing them expedited access through security checkpoints and onto the flight deck.

Carroll and Curry, while probing FlyCASS, discovered that a simple apostrophe entered into the username field triggered a MySQL error. This indicated a glaring vulnerability—the username, it seems, was being directly incorporated into the login SQL query without proper sanitization. This allowed them to exploit the system using a technique called SQL Injection.

SQL Injection is a common web security vulnerability that allows attackers to manipulate queries sent to a database. By inserting malicious code into the query, attackers can gain unauthorized access to data, modify existing information, or even take control of the database itself.

In this instance, Carroll and Curry successfully used SQL Injection to gain administrative access to FlyCASS, using the username "' or '1'='1" and a specific password.

"This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an administrator of Air Transport International!" – Ian Carroll, security researcher
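The difference between an interpolated login query and a parameterized one, shown as an added example that is not FlyCASS code or the researchers' code. The table, the account, the query shape and the function names are assumptions made for illustration, and SQLite stands in for the MySQL backend the article mentions.

```python
import hashlib
import sqlite3

def md5_hex(text):
    # MD5 appears only because the input quoted in the article calls MD5();
    # it is not a suitable password hash.
    return hashlib.md5(text.encode()).hexdigest()

def make_db():
    # Constructed sample data: one administrator account.
    db = sqlite3.connect(":memory:")
    db.create_function("MD5", 1, md5_hex)  # SQLite has no built-in MD5()
    db.execute("CREATE TABLE users (username TEXT, password_md5 TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("ops_admin", md5_hex("correct horse"), "admin"))
    return db

def login_vulnerable(db, username, password):
    # Assumed query shape: the input is pasted into the SQL text, so quote
    # characters in it become SQL syntax and can rewrite the WHERE clause.
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_md5 = MD5('{password}')")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    # Placeholders pass the input as bound values; it is never parsed as SQL.
    sql = ("SELECT username, role FROM users "
           "WHERE username = ? AND password_md5 = MD5(?)")
    return db.execute(sql, (username, password)).fetchone()

def probe(login, db, username):
    # A lone apostrophe breaks the interpolated statement (the database error
    # the article describes) but is ordinary data to the parameterized one.
    try:
        login(db, username, "x")
        return "no-error"
    except sqlite3.OperationalError:
        return "sql-error"

# The two field values quoted in the article.
ARTICLE_USER = "' or '1'='1"
ARTICLE_PASS = "') OR MD5('1')=MD5('1"

if __name__ == "__main__":
    db = make_db()
    print("interpolated :", login_vulnerable(db, ARTICLE_USER, ARTICLE_PASS))
    print("parameterized:", login_parameterized(db, ARTICLE_USER, ARTICLE_PASS))
    print("apostrophe   :", probe(login_vulnerable, db, "'"),
          "vs", probe(login_parameterized, db, "'"))
```

With bound parameters the same input is compared as a literal username and matches no row, while a legitimate login still succeeds.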

Once inside FlyCASS, the researchers found that there were no further security checks or authentication measures preventing them from adding crew records and photos for any airline utilizing the system. By exploiting this vulnerability, individuals could have potentially created false crew member records, allowing them to present fake employee numbers at KCM checkpoints, potentially bypassing airport security and gaining access to restricted areas.

The potential impact of this vulnerability is significant. It could have allowed unauthorized individuals to:

  • Bypass airport security: An individual could exploit the vulnerability to create a fake crew member profile, enabling them to pass through KCM checkpoints.
  • Gain unauthorized access to secure areas: Once inside the secure area, the individual could potentially access sensitive information, interfere with airport operations, or even attempt to reach the aircraft.
  • Gain access to the aircraft: In a worst-case scenario, an individual could potentially gain access to the aircraft itself, posing a serious security threat.

However, the TSA maintains that the vulnerability did not pose a significant security risk, as their reliance on FlyCASS for authentication was limited.

"TSA does not solely rely on this database to authenticate flight crew," and "only verified crewmembers are permitted access to the secure area in airports." – R. Carter Langston, TSA press secretary

While acknowledging the vulnerability, the TSA insists that its internal protocols and additional security measures prevented any real-world harm. However, this incident raises important questions about the security of third-party systems used by government agencies and the potential consequences of relying on external vendors for critical infrastructure.

The FlyCASS vulnerability underscores several crucial points about cybersecurity in the contemporary world:

  • The importance of robust security practices: The vulnerability highlights the need for comprehensive and rigorous security practices across all systems, especially those handling sensitive data or critical infrastructure.
  • Third-party risk management: Organizations must carefully scrutinize and manage the risks associated with relying on third-party vendors for critical functions. Regular security audits and vulnerability assessments of these systems are paramount.
  • Importance of secure coding: Developers must employ secure coding practices to prevent vulnerabilities like SQL injection.
  • The need for continuous monitoring: Robust security requires continuous vigilance and proactive monitoring for potential threats, vulnerabilities, and attacks.

This incident serves as a stark reminder of the ongoing threat posed by cyberattacks to critical infrastructure. The vulnerability exposed in FlyCASS highlights the need for robust security measures, constant vigilance, and collaborative efforts to safeguard against potential threats. As technology evolves and cyber threats become more sophisticated, it is crucial for organizations, including government agencies, to prioritize cybersecurity and invest in robust security protocols to protect themselves and their users.

David Green
David Green is a cultural analyst and technology writer who explores the fusion of tech, science, art, and culture. With a background in anthropology and digital media, David brings a unique perspective to his writing, examining how technology shapes and is shaped by human creativity and society.